Raising an alarm for the IT service providers and manufacturing companies in India, US-based cyber security group FireEye has claimed that a new set of tools is being used by China-based cyber espionage group APT10 to steal confidential business data from domestic firms to support Chinese corporations. FireEye has been tracking APT10 since 2009 and they have historically targeted construction, engineering, aerospace, telecom firms and governments in the US, Europe and Japan. Also Read - Ola to offer free oxygen concentrators to the needyAlso Read - Safer Internet Day 2021: Here's how you can ensure your online security
“IT services have been a core engine of India’s economic growth, with service providers here scaling the value chain to manage business-critical functions of top global organizations. Campaigns like this highlight risks which all organizations should factor into their operations,” said Kaushal Dalal, Managing Director, FireEye, India, in a statement on Monday.
APT10 activity has included both traditional spear phishing and access to victim’s networks through service providers. Service providers have significant access to customer networks, enabling an attacker who had compromised a service provider to move laterally into the network of the service provider’s customer. ALSO READ: Phishing websites stealing information from 26 Indian banks: FireEye report
“Targeting of these industries has been in support of Chinese national security goals, including acquiring valuable military and intelligence information as well as the theft of confidential business data to support Chinese corporations,” said FireEye in an earlier blog post.
In addition, web traffic between a service provider’s customer and a service provider is likely to be viewed as benign by network defenders at the customer, allowing the attacker to exfiltrate data stealthily. APT10 unveiled new tools in its 2016/2017 activity.
“HAYMAKER” and “SNUGRIDE” have been used as first-stage backdoors, while “BUGJUICE” and a customised version of the open source “QUASARRAT” have been used as second stage backdoors. ALSO READ: Indian firms highly vulnerable to data breach: FireEye report
These new pieces of malware show that APT10 is devoting resources to capability development and innovation. HAYMAKER is a backdoor that can download and execute additional payloads in the form of modules. BUGJUICE, also a backdoor, executed by launching a benign file and then hijacking the search order to load a malicious dll into it. That malicious dll then loads encrypted shellcode from the binary, which is decrypted and runs the final BUGJUICE payload. ALSO READ: Government to set up security operations centre for monitoring cybercrime-related incidents
BUGJUICE defaults to TCP using a custom binary protocol to communicate with the C2, but can also use HTTP and HTTPs if directed by the C2. It has the capability to find files, enumerate drives, exfiltrate data, take screenshots and provide a reverse shell. SNUGRIDE communicates with its C2 server through HTTP requests. Messages are encrypted using AES with a static key. The malware’s capabilities include taking a system survey, access to the filesystem, executing commands and a reverse shell. Persistence is maintained through a Run registry key, the post added. QUASARRAT is a fully functional .NET backdoor that has been used by multiple cyber espionage groups in the past.